Microsoft flubs a way to disable AutoRun in XP

Susan bradley By Susan Bradley

Microsoft’s instructions for disabling AutoRun in Windows XP, which I referred to last week, pointed to an incorrect Registry key.

It’s easy to find the correct key, however, and understanding this Registry tweak can give you fine-grained control over the kinds of external media that AutoRun is allowed to work on.

Last week’s Top Story covered Microsoft’s delay in releasing an AutoRun patch for Windows XP and Server 2003. Many people want to disable AutoRun entirely, because when it runs the autorun.inf file that’s often found on CDs, USB drives, and other removable media, your machine can silently become infected. Prior to the patch, Microsoft’s official method for disabling AutoRun could be circumvented by hackers.

Subscribe to our Windows Secrets Newsletter - It's Free!

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

Windows 8.1: Out of the box

Subscribe and get our monthly bonuses - free!

Get a real feel for Windows 8.1 with a wealth of tips in this step-by-step guide. This month, Windows Secrets subscribers can download the first 2 chapters for free: Using Windows 8.1 and Using Email and the Internet. Get this excerpt and other 5 bonuses if you subscribe now!



Unfortunately, Microsoft’s Knowledge Base article about disabling AutoRun included some misinformation. The document specified a location in the Registry that can be used to disable AutoRun, but the location exists only in Vista. The key is in a different branch of the Registry in XP.

To clarify the process of configuring XP’s AutoRun settings, I’ve created a Web page with screenshots to help explain the steps once and for all.

Most security patches take effect as soon as you install them. The patches for AutoRun, by contrast, merely enable you to disable AutoRun in a way that hackers can’t get around. After installing the AutoRun update, you need to reset a Registry key to actually disable AutoRun. The setting you choose will be based on how much you trust the USB flash drives and other removable media you might use.

First off, unless you use Microsoft’s free TweakUI or a similar third-party utility, the Registry key that controls AutoRun in Vista is under HKEY_LOCAL_MACHINE; in XP it’s under HKEY_CURRENT_USER. In other words, the key in XP that you need to navigate to in the Registry Editor is as follows:

HKEY_CURRENT_USER  Software  Microsoft  Windows  CurrentVersion  Policies  Explorer

The instructions to disable AutoRun in last week’s article worked fine in Vista Home and Vista Business, where the Registry key is where Microsoft said. The instructions also worked in XP Professional, which includes the Group Policy Editor and automatically operates on the correct branch of the Registry.

The errant key location in the steps affected only users of XP Home, which doesn’t come with the Group Policy Editor. XP Home requires manual editing of the Registry key via the Regedit utility.

Disabling AutoRun, of course, means you won’t get automatic loading of content, such as camera-conversion software. You’ll need to remember (and teach others who use your PC) to use Windows Explorer or your favorite file manager to start any software that may exist on removable media. If every USB flash drives you touch is guaranteed to be free from viruses, you may decide not to disable AutoRun. But you probably can’t guarantee such a thing.

It’s likely that you’ll want to change this setting on the computers of friends and relatives. On these systems, the preferred AutoRun setting depends on which types of external media you want to block. You can block or allow some or all types of AutoRun functions. Instructions for doing so at the Annoyances.org site describe (in technical language) how you can configure AutoRun by adding up decimal values.

For example, let’s say you want to disable AutoRun for everything but CD-ROMs. To block the other media types, according to Microsoft’s cryptic documentation, you’d add 1 for unknown media, 4 for removable drives (such as USB drives), 8 for fixed drives, 16 for network drives, 64 for RAM drives, and 128 for other drives of unknown types. Add all of those decimal values together and enter the result — 221 — in the Decimal box of the NoDriveTypeAutorun Registry key.

To install the AutoRun patch, which is described in Microsoft Knowledge Base article 967715, without having to validate your computer via Windows Genuine Advantage, you can use the update described in KB article 953252 instead. This patch is exactly the same, except that you can install it without the WGA checkup.

Windows 7 won’t let you postpone updates

In a column on Feb. 5, WS contributing editor Woody Leonhard explained a crucial flaw in the forthcoming Windows 7′s User Account Control (UAC) function. Hacker code could defeat UAC in the beta of Win7, a fact amply demonstrated by blogger Long Zheng and many others besides Woody.

Microsoft initially refused to change the settings, forcing Long to make his concerns public. A few days later, Redmond changed course, announcing it would fix the problem, as Woody reported in a special news update on Feb. 11.

The situation with the weird shutdown logic of Windows 7 isn’t security-related, but is just an important to many of us. When an issue like this comes up, I wish every bug tester had the ability to muster public support the way Long did. I recall many times when Microsoft has shut down any discussion of bugs by simply labeling them “by design.”

Microsoft has already closed at least one bug ticket on the shutdown behavior in exactly this way: calling it “by design.” I disagree with Microsoft’s decision, and I think you will, too.

Here’s the problem: when you set Windows 7′s update settings to Download but do not install, the new OS behaves much differently than the same settings in XP and Vista. If I happen to be in a situation where I don’t have time to install patches, the shutdown buttons in XP and Vista currently let me turn the machine off without installing patches. (See Figure 1.)

Windows xp shutdown options
Figure 1. Windows XP lets you shut down without installing updates.

Even Windows Server 2008 allows you to shut down the computer and choose to patch at a later time. (See Figure 2.)

Windows server 2008 shutdown options
Figure 2. Windows Server 2008 gives you the same selective shutdown.

In build 7000 of the Windows 7 beta, however, there’s no option on the shutdown button to quit without installing the updates. You see only a button for the normal shutdown process, which applies the patches before the machine powers off. (See Figure 3.)

Windows 7 shutdown options
Figure 3. Windows 7′s shutdown options don’t include the no-update alternative.

I was caught off guard and found that patches were being installed as the system shut down. I had to turn the system back on to confirm that this is what had happened; it was caused by the lack of an “install patches later” choice.

Workaround for a no-update Windows 7 shutdown

Here’s the secret: the only way to shut down Win7 without installing patches is to press Ctrl+Alt+Del and then click the up-arrow by the red shutdown button. This allows the system to shut down without installing patches. (See Figure 4.)

Windows 7 ctrl-alt-delete shutdown options
Figure 4. The only way to shut down Windows 7 without applying patches is via Ctrl+Alt+Delete.

I’m aware that build 7000 is only a beta of Win7 and not a release candidate. I honestly don’t know whether this behavior will be included in the final version. If it is, though, I consider it to be a bad design decision that will give many Windows 7 users an unsatisfactory patching experience.

I’m not the only Win7 beta tester with concerns about the way Microsoft is passing over bugs in its zeal to get the product out the door. Don’t get me wrong: I like Windows 7 and think you’ll like it as well, once you see it in action. However, I’m concerned that a squeaky wheel is what it takes these days to goad Microsoft into making some required alterations. I hope I’m wrong and that Win7′s lack of this important shutdown option will get fixed.

Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.
= Paid content

All Windows Secrets articles posted on 2009-03-12:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.